Arbitrary Code Execution

The Login Activity com.insecureshop.LoginActivity contains the following code. The application enumerates every package installed on the device and, for each one whose package name begins with com.insecureshopapp, creates a package context for it with flags 3 (CONTEXT_INCLUDE_CODE | CONTEXT_IGNORE_SECURITY), loads the class com.insecureshopapp.MainInterface through that package's class loader, and invokes its static getInstance method, passing in the Activity itself.

// Decompiled from LoginActivity: iterate over every package installed on the device
for (android.content.pm.PackageInfo info : getPackageManager().getInstalledPackages(0)) {
    java.lang.String packageName = info.packageName;
    kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(packageName, "packageName");
    // Only a prefix check on the package name: any third-party app can choose a matching name
    if (kotlin.text.StringsKt.startsWith$default(packageName, "com.insecureshopapp", false, 2, (java.lang.Object) null)) {
        try {
            // flags 3 = CONTEXT_INCLUDE_CODE | CONTEXT_IGNORE_SECURITY: the other package's code
            // is loaded into this process and the platform's safety check is skipped
            android.content.Context packageContext = createPackageContext(packageName, 3);
            kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(packageContext, "packageContext");
            // Reflectively call the foreign package's static getInstance(Context), handing it this Activity
            java.lang.Object value = packageContext.getClassLoader().loadClass("com.insecureshopapp.MainInterface").getMethod("getInstance", new java.lang.Class[]{android.content.Context.class}).invoke((java.lang.Object) null, new java.lang.Object[]{this});
            kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(value, "packageContext.classLoad…      .invoke(null, this)");
            android.util.Log.d("object_value", value.toString());
        } catch (java.lang.Exception e) {
            throw new java.lang.RuntimeException(e);
        }
    }
}

An attacker can install their own app with a package name that begins with that prefix, define a class of the specified name with a static getInstance method, and place in that method code that will then be executed inside the victim app's process.

Exploiting this is not entirely straightforward. Read the code in LoginActivity carefully and identify the exact point at which the code execution takes place.
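For contrast, here is an added, hypothetical hardened version of that loading logic (not code from InsecureShop or from the challenge author). It assumes the host expects exactly one plugin package name, knows the SHA-256 of the certificate that package must be signed with (PINNED_CERT_SHA256_HEX is a placeholder), and runs on API 28 or later for PackageManager.hasSigningCertificate.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.util.Log;

// Hypothetical hardened replacement for the LoginActivity loop (added example).
// Assumptions: one exact plugin package name, a pinned signing-certificate digest
// (placeholder below), and API level 28+ for hasSigningCertificate().
final class PluginLoader {
    private static final String TAG = "PluginLoader";
    // Exact package name: no startsWith() prefix match that any app could satisfy.
    private static final String PLUGIN_PACKAGE = "com.insecureshopapp.plugin";
    // PLACEHOLDER digest: replace with the real SHA-256 of the expected signing certificate.
    private static final String PINNED_CERT_SHA256_HEX =
            "0000000000000000000000000000000000000000000000000000000000000000";

    /** Returns the plugin object, or null if the package is absent or untrusted. */
    static Object loadTrustedPlugin(Context host) {
        PackageManager pm = host.getPackageManager();

        // 1. Check the signing certificate before touching any of the package's code.
        //    hasSigningCertificate() also honours certificate rotation (signing lineage).
        if (!pm.hasSigningCertificate(PLUGIN_PACKAGE, hexToBytes(PINNED_CERT_SHA256_HEX),
                PackageManager.CERT_INPUT_SHA256)) {
            Log.w(TAG, "plugin package missing or signed with an unexpected certificate");
            return null;
        }
        try {
            // 2. No CONTEXT_IGNORE_SECURITY: the platform now refuses to load code from a
            //    package that does not share this app's UID, instead of loading it blindly.
            Context pluginCtx = host.createPackageContext(PLUGIN_PACKAGE, Context.CONTEXT_INCLUDE_CODE);
            return pluginCtx.getClassLoader()
                    .loadClass("com.insecureshopapp.MainInterface")
                    .getMethod("getInstance", Context.class)
                    .invoke(null, host);
        } catch (ReflectiveOperationException | PackageManager.NameNotFoundException
                | SecurityException e) {
            // 3. A refused or failed load is logged, not rethrown as a crash of the login screen.
            Log.w(TAG, "refusing to load plugin: " + e);
            return null;
        }
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Even with both checks, loading code from another package should be a last resort; the safest fix is to drop the dynamic loading altogether.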

References:

  • Android: arbitrary code execution via third-party package contexts